>>>>> "Bud" == Bud Rogers <budr@sirinet.net> writes:
Bud> I've always taken for granted the idea that open source was
Bud> inherently more secure because it's open to peer review. Linus
Bud> said "Given enough eyes, all bugs are shallow." But has anyone
Bud> ever done a serious study on the subject? I've seen plenty of
Bud> emotional arguments and anecdotal evidence, but nothing that I
Bud> would consider hard evidence.
I don't have anything solid at the moment, but there are a few
(obvious) things that you could do.
Bugtraq is a relatively good source of information, if you don't take
the numbers for more than they are. For instance, the number of bugs
and the time it takes to discover them typically grow exponentially
with the complexity of the software (or something like that... that's
the subject of another investigation).
You also need to consider release philosophies, because they are very
important in respect to what gets considered as a real security
threat. For instance, most open sourcers release early and often, but
have 'stable' releases that are generally considered production
strength. Most closed source entities release only these 'stable'
versions plus bugfix upgrades/service packs. So it's of vital
importance that you are certain about what you are comparing; too many
comparisons on security don't.
I hope you will make your findings publicly available, and that I
shall have an opportunity to read them.
Martin
--
GPG public key: http://home1.stofanet.dk/factotum/gpgkey.txt